Archive

This week Gareth Wright reported that Facebook’s app for iOS has a security vulnerability through which malicious users can access login credentials saved in a .plist file of the app. With a copy of that .plist file malicious users could automatically log into the affected user’s Facebook account on another device. Reportedly, the vulnerability also exists on Android devices.

Wright describes several different ways in which your login credentials could be obtained by a malicious user, including hidden applications installed on shared PCs, customized apps, or modified speaker dock that could copy your plist.

According to Facebook, the issue only affects jailbroken or lost devices, as it requires physical access or installation of a custom app on the device. But Wright and The Next Web pointed out that simply plugging into any device would be sufficient for malicious users to gather these files.

The Next Web has confirmed that Dropbox for iOS is also vulnerable to this issue. Given that two such high-profile apps as Facebook and Dropbox are vulnerable to credential theft, it is likely that other apps are also affected by the issue.

As many reports note, this method of gathering login credentials is not actively utilized in a malicious manner, and users can protect their data for the time being by not plugging their devices into shared computers and charging stations.